Dropbox, as LinkedIn did a week ago, filed an amicus brief yesterday with the United States Foreign Intelligence Surveillance Court (FISC) requesting permission to publish the number of National Security Letter requests the cloud storage company receives.

Dropbox followed LinkedIn’s lead, arguing in its brief that the government’s proposal that companies be allowed to report NSL requests in aggregates of 1,000 works against transparency.

“It would shed almost no light on the data requests Dropbox receives, and could foster the impression that Dropbox received many more national-security requests than it did,” Dropbox wrote in its brief.

Dropbox has been publishing annual transparency reports for almost two years; early this year, it reported 87 requests for information affecting 164 accounts between January and December 2012, for which it complied with 82 percent of those requests. The report, however, did not include national security requests because, Dropbox said, if for example it had received only one NSL request last year, it would have to report it as having received between one and 1,000 requests.

“It would also obfuscate the number of law-enforcement requests Dropbox received in 2012, many of which were not sealed and are in the public record. Because Dropbox is unwilling to distort its reporting this way, it instead must omit information about the number of national-security requests,” Dropbox wrote. “That result is bad for the public. Dropbox would prefer to report any national-security requests in the same way it reports law-enforcement requests: by publishing the total number of requests received over a given period along with the number of affected accounts.”

The conundrum here, experts argue, is not with large companies such as Dropbox or Google, but for smaller companies not to report NSL requests. For example, should a small ISP with fewer than 100 customers report it received 50 NSL requests, that information would tip off terrorists or criminals that the ISP is being targeted by the government.

Google, Microsoft, Facebook and Yahoo each filed similar briefs with FISC, arguing as LinkedIn and Dropbox have, that the government’s denial violates these companies’ First Amendment rights to free speech and affects their ability to maintain a trustworthy relationship with users with regard to government access to their data. These requests for additional transparency began shortly after Edward Snowden’s leaked documents were published and the depths of NSA surveillance of Americans in the name of national security were made public.

“The government is violating these rights by ordering private parties to keep quiet on an important matter involving the government’s conduct. In doing so, it is preventing the public from learning basic facts about how the government is using its national-security powers,” Dropbox wrote. “No harm to national security can be expected from the Service Providers releasing accurate information about the number of national-security requests that have been made.”

Director of National Intelligence James Clapper, meanwhile, said that the government will be releasing aggregate data on the number of NSL requests it makes of Internet companies. Dropbox argues not only that the government’s ban impedes trust between the company and its users, but that it negatively impacts companies that receive proportionately few NSL requests.

“No harm to national security can be expected from the Service Providers (Google, Microsoft, et al) releasing accurate information about the number of national security requests that have been made,” Dropbox wrote. “We are talking about aggregate numbers that should have been made public months ago.”

Categories: Privacy

Comment (1)

  1. David A. Lessnau
    1

    “…should a small ISP with fewer than 100 customers report it received 50 NSL requests, that information would tip off terrorists or criminals that the ISP is being targeted by the government.”

    Well, in this country, you’ve got your assumptions backward. The last clause should read:

    “…that information would tip off CUSTOMERS that the government thinks half the customers of the ISP are terrorists or criminals.”

    Again, in this country, people are innocent until proven guilty. The presumption should be that the government (not the individual) is the entity bearing watching (you know, the basis for our Constitution).

Comments are closed.